5.5.4 Module Quiz: ACLs for IPv4 Configuration (Answers) (2023)

5.5.4 Module Quiz - ACL Configuration Answers for IPv4

1. The computers used by a school's network administrators are on the network. What are the two minimum commands required to apply an ACL that ensures that only devices used by network administrators have telnet access to routers? (Choose two.)

  • access-class 5 in
  • access-list standard VTY
  • access-list 5 permit
  • ip access-group 5 in
  • ip access-group 5 out
  • access-list 5 deny any

Explanation: Named and numbered access lists can be applied to vty lines to control remote access. The first ACL command, access-list 5 permit, permits traffic originating from any device on the network. The second ACL command, access-class 5 in, applies the access list to the vty lines.

2. View the configured access list.

R1# show access-lists
Extended IP access list 100
    deny tcp host host eq telnet
    deny tcp host host eq telnet
    permit ip any any (15 matches)

What are two characteristics of this access list? (Choose two.)

  • Only the device can telnet to the router that was assigned the IP address.
  • The device is not allowed to telnet to the device.
  • Any device can telnet to the device.
  • A network administrator would not be able to determine whether or not the access list has been applied to an interface.
  • Any device on the network (except the device) can telnet to the router assigned the IP address.
  • The access list has been applied to an interface.

Explanation: The access list blocks telnet traffic from the first device to the second device. It also blocks telnet traffic from the other listed device to its destination. All other TCP/IP traffic is permitted. The access list is in effect because the last ACE shows 15 matches.

3. Which command checks the number of packets allowed or denied by an ACL that restricts SSH access?

  • show ip interface brief
  • show ip ssh
  • show running-config
  • show access-lists

Explanation: The show access-lists command displays each line of an access list and the number of times each statement was matched. The show running-config command displays the statements as configured but gives no information about matches. The show ip ssh command provides general information about the SSH configuration.

4. Which access list statement permits HTTP traffic originating from host , port 4300, and destined for host ?

  • access-list 101 permit tcp any eq 4300
  • access-list 101 permit tcp eq 80
  • access-list 101 permit tcp eq www eq www
  • access-list 101 permit tcp eq 4300 eq www
  • access-list 101 permit tcp host eq 80 eq 4300

Explanation: The HTTP protocol uses port 80 and is indicated in an ACL with the parameter eq 80 or with eq www. The first IP address listed in an ACE is the source address, together with its wildcard mask. With a source IP address of and a wildcard mask of , IP addresses from to are permitted.

5. When configuring router security, which statement describes the most effective way to use ACLs to control Telnet traffic destined for the router itself?


  • The ACL must be applied to each vty line individually.
  • The ACL is applied to the telnet port using the ip access-group command.
  • The ACL must be applied to all incoming vty lines to prevent an unwanted user from connecting to an unsecured port.
  • Apply the ACL to the vty lines without the in or out option that is required when applying an ACL to an interface.

Explanation: Because someone outside the router is attempting to use a protocol such as Telnet or SSH to gain access to the router, the ACL must be applied in the inbound direction on the vty lines.

6. Which packets would match the access control list statement shown below?

access-list 110 permit tcp any eq 22
  • any TCP traffic from the network to any destination network
  • SSH traffic from the network to any destination network
  • SSH traffic from any source network to the network
  • any TCP traffic from any host to the network

Explanation: The statement access-list 110 permit tcp any eq 22 matches traffic destined to port 22, which is SSH, originating from the network to any destination.

7. Consider the following access list command applied outbound on a router serial interface.

access-list 100 deny icmp any echo-reply

What is the effect of applying this access list command?

  • Users on the network cannot forward traffic to other destinations.
  • The only traffic denied is ICMP traffic. All other traffic is permitted.
  • The only traffic dropped is echo replies originating from the network. All other traffic is permitted.
  • No outbound traffic is permitted on the serial interface.

Explanation: Every extended access list ends with an implicit deny ip any any statement, so no traffic can leave the serial interface.

8. Consider the following output for an ACL applied to a router using the access-class command. What can a network administrator determine from the displayed output?

R1# <output omitted>
Standard IP access list 2
    10 permit , wildcard bits (2 matches)
    20 deny any (1 match)
  • Traffic from one device was not allowed to enter one router port and be routed out a different router port.
  • Two devices were able to use SSH or Telnet to reach the router.
  • Two devices connected to the router have IP addresses of 192.168.10.x.
  • Traffic from two devices was allowed to enter one router port and be routed out a different router port.

Explanation: The access-class command is used only on vty ports. VTY ports support Telnet and/or SSH traffic. The match count on the permit ACE shows how many connection attempts were allowed through the vty ports. The match count on the deny ACE shows that a device from a network other than was unable to reach the router through the vty ports.

9. Which two commands configure a standard ACL? (Choose two.)


  • Router(config)# access-list 45 permit host
  • Router(config)# access-list 10 permit any
  • Router(config)# access-list 20 permit host any any
  • Router(config)# access-list 35 permit host
  • Router(config)# access-list 90 permit

Explanation: Standard access lists have the syntax access-list followed by a number between 1 and 99, the permit or deny keyword, and the source IP address (including a wildcard mask).

10. Which inbound ICMP message should be permitted on an outside interface to aid troubleshooting?

  • timestamp reply
  • timestamp request
  • echo request
  • echo reply
  • router advertisement

11. Which two ACEs could be used to deny IP traffic from a single source host to the network? (Choose two.)

  • access-list 100 deny ip
  • access-list 100 deny ip host
  • access-list 100 deny ip host
  • access-list 100 deny ip
  • access-list 100 deny ip
  • access-list 100 deny ip

Explanation: There are two ways to identify a single host in an access list entry. One is to use the host keyword with the IP address of the host; the other is to use a wildcard mask of with the IP address of the host. The source of the traffic to be examined by the access list comes first in the syntax and the destination comes last.

12. An administrator has configured an access list on R1 to allow SSH administrative access from host . Which command correctly applies the ACL?

  • R1(config-line)# access-class 1 in
  • R1(config-line)# access-class 1 out
  • R1(config-if)# ip access-group 1 out
  • R1(config-if)# ip access-group 1 in

Explanation: Administrative access over SSH to the router is through the vty lines. Therefore, the ACL must be applied to these lines in the inbound direction. This is done by entering line configuration mode and issuing the access-class command.

13. What are two keywords that can be used in an access control list to replace a wildcard mask or a wildcard mask-address pair? (Choose two.)


  • No
  • any
  • gt
  • host
  • most
  • some

Explanation: The host keyword is used when a specific device IP address is used in an ACL. For example, the command deny host is the same as deny with a wildcard mask of 0.0.0.0. The any keyword is used to permit any host that meets the criteria. For example, the command permit any is the same as permit with a source and wildcard mask that match every address.

14. What are the two packet filters that a network administrator can use for an extended IPv4 ACL? (Choose two.)

  • computer type
  • destination MAC address
  • destination UDP port number
  • ICMP message type
  • source TCP hello address

Explanation: Extended access lists commonly filter on source and destination IPv4 addresses and TCP or UDP port numbers. Additional filtering can be provided for protocol types.

15. The second ACE shown in the following example incorrectly specifies port 400 instead of port 443. What is the best way to correct this error?

R1# show access-lists
Extended IP access list SURFING
    10 permit tcp any eq www
    20 permit tcp any eq 400
R1#
  • Copy the ACL into a text editor, correct the ACE, and copy the ACL back into the router.
  • Create a new named ACL and apply it to the router interface.
  • Enter permit tcp any eq 443.
  • Enter no 20 and then enter permit tcp any eq 443.
  • Delete the entire ACL and recreate it with the correct ACE.

Explanation: The ip access-list command can be used to edit an existing named or numbered ACL. ACEs can be removed with the no command followed by the sequence number.

16. A network administrator must configure a standard ACL so that only the administrator's workstation with IP address can access the virtual terminal of the main router. Which two configuration commands can accomplish the task? (Choose two.)

  • R1(config)# access-list 10 permit host
  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit
  • R1(config)# access-list 10 permit

Explanation: To permit or deny one specific IPv4 address, either the wildcard mask 0.0.0.0 (used after the IP address) or the wildcard mask keyword host (used before the IP address) can be used.

17. A network administrator is writing a standard ACL that will deny all traffic from the network but permit all other traffic. Which two commands should be used? (Choose two.)

  • R1(config)# access-list 55 deny any
  • R1(config)# access-list 55 permit any
  • R1(config)# access-list 55 host
  • R1(config)# access-list 55 deny
  • R1(config)# access-list 55 deny
  • R1(config)# access-list 55

Explanation: To deny traffic from the network, the access-list 55 deny command is used. To permit all other traffic, the access-list 55 permit any statement is added.


18. In the following example, the administrator forgot to enter an ACE to deny the user with IP address . Which command would correctly enter the ACE to filter this address?

R1# show access-lists
Extended IP access list PERMIT-NET
    10 permit ip any
    20 permit ip any
R1#
  • deny ip host
  • 5 deny ip host
  • 15 deny ip host
  • 25 deny ip host

Explanation: The host must be filtered first, so adding sequence number 5 at the beginning of the ACE inserts it before the statement that permits the network.
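The wildcard-mask rules from questions 11 and 16, the sequence-number ordering from question 18 and the implicit deny from question 7 can be tried out with a small standard-ACL matcher. This is an added example, not part of the quiz; the addresses in it are constructed samples, and the class and function names are invented for illustration.

```python
import ipaddress

# Added example (not from the quiz): a tiny standard-ACL matcher showing how
# a wildcard mask, the 'host' keyword, ACE sequence numbers and the implicit
# 'deny any' interact. All addresses below are constructed sample values.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr matches base under an IOS-style wildcard mask.
    A wildcard bit of 0 means 'must match', 1 means 'don't care', so
    'host X' is X with mask 0.0.0.0 and 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (b & care)

class StandardAcl:
    def __init__(self):
        self.aces = []              # each entry: [seq, action, base, wildcard, matches]

    def add(self, seq, action, base, wildcard="0.0.0.0"):
        """Add an ACE; omitting the wildcard is the same as 'host base'."""
        self.aces.append([seq, action, base, wildcard, 0])
        self.aces.sort(key=lambda e: e[0])   # IOS evaluates ACEs in sequence order

    def evaluate(self, src: str) -> str:
        for ace in self.aces:       # first match wins
            if wildcard_match(src, ace[2], ace[3]):
                ace[4] += 1         # the counter that 'show access-lists' reports
                return ace[1]
        return "deny"               # implicit 'deny any' at the end of every ACL

def demo():
    acl = StandardAcl()
    acl.add(10, "permit", "192.0.2.0", "0.0.0.255")     # permit the whole /24
    results = {"before": acl.evaluate("192.0.2.77")}
    # A host that should have been blocked: insert it with a lower sequence
    # number so it is checked before the network permit (question 18).
    acl.add(5, "deny", "192.0.2.77")                     # 'host 192.0.2.77'
    results["after"] = acl.evaluate("192.0.2.77")
    results["other"] = acl.evaluate("192.0.2.8")
    results["outside"] = acl.evaluate("198.51.100.1")  # no match -> implicit deny
    return results
```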

19. A standard ACL named PERMIT-VTY has been created to allow only a single administrative host vty access to the router. Which line configuration command would correctly apply this ACL to the vty lines?

  • access-class PERMIT-VTY in
  • access-class PERMIT-VTY out
  • ip access-group PERMIT-VTY in
  • ip access-group PERMIT-VTY out

Explanation: The access-class ACL-name in line configuration mode command correctly applies a standard ACL to the vty lines.

20. What is the effect of the named extended ACE permit tcp 10.10.100 any eq www if it is applied inbound on interface G0/0?

  • All TCP traffic is permitted and all other traffic is denied.
  • All traffic from 10.10.100/24 is permitted on any port.
  • The router rejects the command because it is incomplete.
  • Outbound traffic from 10.10.100/24 is permitted to any destination on TCP port 80.

Explanation: Outbound traffic from 10.10.100/24 is permitted to all destinations listening on TCP port 80 (i.e. www).

21. What does the CLI prompt change to after the ip access-list extended AAAFILTER command is entered in global configuration mode?

  • R1(config-ext-nacl)#
  • R1(config-if)#
  • R1(config-line)#
  • R1(config-router)#
  • R1(config-std-nacl)#

Explanation: After the command is entered, the router enters named extended ACL configuration mode, shown by the R1(config-ext-nacl)# prompt.

Article information

Author: Moshe Kshlerin

Last Updated: 06/08/2023
